Can two web applications (servlet contexts) share the same session object?

By default, the session object is context-specific. Although a few servlet containers (Tomcat, Resin) may allow web applications to share session contexts by means of the "crosscontext" setting within the deployment descriptor, by default, that should not be allowed for security purposes and must be used cautiously only for admin-type applications.